Is it possible to access the Next-Gen WAF X-SigSci-* headers in the VCL before a backend fetch? Is the data that is put into these headers accessible anywhere?
I would like to use the data in the X-SigSci-Tags header to see if the WAF thinks the request is from a bot, and then block a specific bot, before the request is sent to the backend.
I have tried using req.http.x-sigsci-tags and bereq.http.x-sigsci-tags in vcl_miss, vcl_pass, and vcl_recv, but none have worked.
Hey @Lewis, if I’m reading your use case correctly, we recommend building this block logic into your NGWAF workspace using our bot signals features. That way, you’ll be future-proofed as we continue to expand the product.
If you block a bot (or any other form of attack) in the WAF, the request will be stopped at the edge and not continue to your backend.
Hi @aspires, thanks for replying. We are on Adobe Commerce Cloud, so we have limited access to Fastly features. I don’t think I can access anything to do with the WAF directly? Unless there are APIs available?
I have full access to the VCL though, which is why I’m trying this route.
@aspires I have talked to Adobe support, and they haven’t been particularly helpful. They just gave me a link to their terms and conditions saying we have to manage bots ourselves.
But I can try again, thanks.